Reddit Fined £14.5m by UK Regulator for Children's Data Breach
Reddit Hit with Record £14.5m Fine Over Children's Data Breach in the UK

The Information Commissioner's Office (ICO) has levied a substantial £14.5m penalty against the social news platform Reddit for its unlawful handling of children's personal data. This marks the largest fine ever issued by the UK regulator for a breach of children's privacy, highlighting significant failures in protecting young users online.

Unlawful Data Processing and Exposure Risks

According to the ICO, Reddit did not establish a lawful basis for processing the personal information of a large number of children under the age of 13 on its platform. The regulator found that the company's reliance on self-declared age checks was insufficient: the checks were easily bypassed and so failed to prevent minors from accessing the service. Additionally, Reddit neglected to conduct a mandatory data protection impact assessment to evaluate and mitigate risks to children before January 2025.

Information Commissioner John Edwards stated, "Children under 13 had their personal information collected and used in ways they could not understand, consent to or control. That left them potentially exposed to content they should not have seen. This is unacceptable and has resulted in today's fine." The breach potentially exposed these young users to inappropriate and harmful material, raising serious concerns about online safety.

Reddit's Response and Age Verification Measures

Reddit has announced its intention to appeal the decision, arguing that the ICO's demands conflict with its commitment to user privacy. A spokesperson for the company said, "The ICO's insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users' online privacy and safety." Reddit emphasized that it does not require users to share identity information, regardless of age, due to its deep commitment to privacy and safety, and it removes users under 13 as per its user agreement, which requires users to state they are at least 13 years old.

In response to regulatory pressures, Reddit introduced enhanced age verification measures in July, including requirements for UK users to upload a selfie or government ID to access mature content such as pornography, in compliance with the Online Safety Act. However, the ICO noted that these changes came too late to address the prior breaches.

Historical Context and Regulatory Implications

This £14.5m fine is the third-largest ever imposed by the ICO, following a £20m penalty for British Airways in 2018 and an £18.4m fine for Marriott Hotels in 2014. The decision underscores the growing regulatory focus on protecting children's data in the digital age. Edwards added, "Companies operating online services likely to be accessed by children have a responsibility to protect those children by ensuring they're not exposed to risks through the way their data is used. To do this, they need to be confident they know the age of their users and have appropriate, effective age assurance measures in place. Reddit failed to meet these expectations."

The case highlights the ongoing challenges in balancing user privacy with regulatory compliance, particularly as platforms adapt to new laws like the Online Safety Act. It serves as a stark reminder for tech companies to implement robust age verification systems and proactive risk assessments to safeguard vulnerable users.
